
In The Name of Almighty ALLAH (J.J.H), the Most Merciful & Beneficent


Dedication

Dedicated To
My Beloved, Dearest and Loving
Mother, Father, Sister, Brothers, Teachers
And All My Family Members
Who motivated, supported & encouraged me in every part
of life
And whatever I am today, it is just because of them
And to all my sweet cousins.


Table of Contents

Characterization of Nuclear Facilities: Identification of Vital Areas in Different Type of Nuclear Facilities
List of Figures
List of Tables
Abstract
1 Introduction
    Background
    Objective
    Scope
    Structure
2 Facility Characterization
    Facility Characterization Areas of Investigation
        Physical Conditions
        Facility Operations
        Facility Policies and Procedures
        Regulatory Requirements
        Safety Considerations
        Legal Issues
3 Vital Area Identification Process
    Process Overview
    Input to VAI Process
        Policy Considerations
        Site and Facility Characteristics
        Conservative Analysis of Radiological Consequences
    Direct Sabotage of Inventory
    Indirect Dispersal of Inventory
        Initiating Events of Malicious Origin
        IEMOs that Exceed Mitigating System Capacity
        IEMOs that are within Mitigating System Capacity
    Sabotage Logic Model
    Sabotage Area Logic Model
        Data Collection and Entry
        Walk Down the Facility
        Spatial Interactions
    Candidate Vital Area Sets
    Vital Area Set Selection
4 Documentation of Results
    Protecting Information
Summary and Conclusions
References
Appendix A: Sabotage Logic Model

List of Figures
Figure 1.1 VAI process
Figure 3.1 Sabotage fault tree

List of Tables
Table 1
Table 2 Common logic model representations

Abstract
The possibility that nuclear or other radioactive material could be used for malicious purposes
cannot be ruled out in the current global situation. States have responded to this risk by engaging
in a collective commitment to strengthen the protection and control of such material and to
effectively respond to nuclear security events. The first step is to characterize the facility to be
protected against malicious acts. Before any decisions can be made concerning the level of
protection needed, an understanding of what is being protected and the surrounding environment
is essential. Too often this crucial step is overlooked and security systems are designed that either
overprotect a nonessential component or fail to adequately protect a vital portion of the facility.
When characterizing a facility, information about as many different aspects of the facility as
possible must be obtained and reviewed. This report also presents a structured approach to
identifying the areas that contain equipment, systems, and devices to be protected against sabotage.
The method builds upon safety analyses to develop sabotage logic models for sabotage scenarios
that could cause unacceptable radiological consequences. The sabotage actions represented in the
logic models are linked to the areas from which they can be accomplished. The logic models are
then analyzed to determine areas that must be protected to prevent these unacceptable radiological
consequences.

1 Introduction
The possibility that nuclear or other radioactive material could be used for malicious purposes
cannot be ruled out in the current global situation. States have responded to this risk by engaging
in a collective commitment to strengthen the protection and control of such material and to
effectively respond to nuclear security events. States have agreed to strengthen existing and
established new international legal instruments to enhance nuclear security around the world.
Nuclear security is fundamental in the management of nuclear technologies and in applications
where nuclear or other radioactive material is used or transported.
Each State carries the full responsibility for nuclear security, i.e. to provide for the security
of nuclear and other radioactive material and associated facilities and activities; to ensure the
security of such material in use, storage or in transport; and to combat illicit trafficking and the
inadvertent movement of such material. It should also be prepared to respond to a nuclear security
event. The IAEA recommendations for the protection of nuclear installations against sabotage are
contained in the IAEA Nuclear Security Recommendations [1]. After the attacks of 11 September 2001,
the perception of the potential terrorist threat to nuclear installations changed significantly, and the
IAEA initiated an effort to develop a series of guidance publications on the security of nuclear and
radioactive material and facilities.
This report presents a structured approach to identifying the areas that contain equipment,
systems, and components to be protected against sabotage. It specifically provides detailed
guidance with regard to the identification of vital areas, that is, the areas to be protected in high
consequence facilities [2].

Background
The first step in the Design and Evaluation Process Outline (DEPO) is to define the PPS
requirements, and that begins with characterizing the facility, that is, clearly understanding what is
to be protected. Initially the analyst must identify the areas of investigation for this facility
characterization process, and then collect the information from those areas [2]. Once complete
information about the facility has been acquired, the process of vital area identification (VAI) follows.

Identification of vital areas is an important step in the process of protecting against sabotage.
Vital area identification is the process of identifying the areas in a nuclear facility around which
protection will be provided in order to prevent or reduce the likelihood of sabotage. Ref. [1]
indicates that nuclear material in an amount which, if dispersed, could lead to high radiological
consequences (HRCs), and the minimum set of equipment, systems, or devices needed to prevent
HRCs, should be located within one or more vital areas, themselves located inside a protected area
(see footnote 1). All measures that have been designed into the facility for safety purposes should be
taken into account when identifying vital areas.

OBJECTIVE
One objective of this report is to clearly understand the process of characterization of a
nuclear facility. Major areas of investigation for facility characterization include complete
information about the facility location, physical conditions, operations, safety procedures,
regulatory requirements, etc., on the basis of which the vital area identification process is initiated.
The second objective of this report is to describe a VAI process that can be used to (i) identify all
candidate sets of vital areas at a nuclear facility and (ii) select a specific set of vital areas that will
be protected. The process for selecting a specific set of vital areas to be protected is based on
consideration of the potential radiological consequences of sabotage, and the operational, safety,
and physical protection objectives for the facility.

Footnote 1: High radiological consequences, as referred to in Ref. [1], indicate relatively severe
radiological consequences resulting from large nuclear facilities such as nuclear power plants. The
level of protection for vital areas specified in Ref. [1] is similar to that required to prevent the theft
of Category I nuclear material. In the context of a graded approach, the areas that require protection
for inventories in lower consequence categories (above unacceptable radiological consequences but
below high radiological consequences) can be identified using the process described in this
publication, although these areas may require lower levels of protection than required for vital areas.

SCOPE
This report focuses on the processes of facility characterization and VAI at nuclear facilities.
These processes can be used to identify the vital areas at existing facilities, and to evaluate the
effect that design changes to existing facilities and design and layout features of new facilities may
have on vital area selection.

STRUCTURE
Section 1 provides the background, objectives, and scope of this report. Section 2 discusses
the processes used to characterize a nuclear facility. Section 3 discusses the process used to identify
vital areas, and the expected results of the process. Also, it outlines policy considerations that must
be addressed by the competent authority (State regulatory body) and actions by the operator prior
to the start of VAI, and describes the step-by-step process leading to the selection of a minimum
set of areas in a nuclear facility that should be protected as vital areas. Section 4 provides guidance
for documenting the results of VAI. The Appendix provides an example of how logic models can
be solved to identify candidate vital area sets.

2 Facility Characterization
The first step in designing a new PPS, or upgrading an existing system, is to characterize the
facility to be protected [2].

Facility Characterization Areas of Investigation

Major areas of investigation for facility characterization include:
1. Physical conditions
2. Facility operations
3. Facility policies and procedures
4. Regulatory requirements
5. Safety considerations
6. Legal issues

Physical Conditions
Perhaps the easiest area to characterize is the physical conditions. Physical conditions
characterization includes identifying the site boundary, the number and locations of buildings in
the complex, room locations within buildings, access points, existing physical protection features,
and all infrastructure details. This information is normally available in blueprints and drawings of
the facility. Physical infrastructure that should be reviewed includes heating, ventilation and air
conditioning systems, communication paths and type (fiber optic, telephone, computer networks,
etc.), construction materials of walls and ceilings, power distribution system, locations of any
hazardous materials, and exterior areas. Physical aspects of a site also include an understanding of
the vegetation, wildlife, background noise (such as airports, rail yards, major highways or
electromagnetic interference), climate and weather, and soil and pavement. This information can
be used to predict adversary paths into a facility, establish target locations, and identify potential
sources of nuisance alarms for protection equipment [2].

Facility Operations
Another major area for investigation is facility operations. This will include such things as
major products of the facility, processes that support these products, operating conditions (working
hours, off-hours, emergency operations), and the types and numbers of employees. A large part of
this stage of data collection is the review of the procedures that are used to accomplish the mission
of the facility.
1. Operational Review of Facility
Operational review of the facility should also include an evaluation of the supporting functions
available at the site. This includes procurement procedures, computing resources and distribution,
maintenance activities, operational involvement and location of senior executives, workflow, shift
changes, employee benefits, shipping and receiving, accounting functions, and any other
supporting functions.
2. Additional Operational Details to Survey
Operational details can reveal important transition periods at a facility. For example, at a shift
change many employees can be entering and exiting the facility. This can be an important input
into the design of any access controls for the facility or parking areas. Knowledge of the workloads
and schedule at the shipping and receiving dock will help when designing an asset tracking system
or implementing controls over the movement of raw materials or product into and out of a facility.
This information will establish the operational needs to be accommodated by any security
upgrades. Vehicle activity into and out of a facility, as well as within the facility (if it is a large
industrial complex), will also provide a basis for security effectiveness evaluations and establish
operational constraints that must be considered as part of the security system design [2].

Facility Policies and Procedures

One of the most critical areas for study at a facility is an understanding of the written
and unwritten policies and procedures used at the site. Although many companies maintain
well-documented collections of this information, it is not uncommon to find that employees use
other, undocumented procedures to do their work. This lack of alignment can at times cause serious
discrepancies between the way things are expected to be done and the way they are, in fact,
accomplished. It is very useful to spend some time at a facility observing how things are done. One
way to do this is through guided tours of the facility accompanied by knowledgeable or responsible
personnel, but it can also be revealing to spend time independently visiting all of the areas of the
facility and watching the general operations.

1) Training on Corporate Policies and Procedures
Training on the correct interpretation and application of corporate procedures must be provided
at the facility. If employees are expected to maintain certain security levels, but have no training
on what this means on a day-to-day basis, there can be disappointment on all sides. Corporate
training should be available to solidify the expectations for employee behavior and show that
management is fully committed to the physical protection policy.
2) Security Culture
A current emphasis of the International Atomic Energy Agency is to instill a good security
culture in the Member States. Security culture has three different layers that should be
investigated. The first is the underlying assumption that drives the whole culture: are we
vulnerable to a threat? If this is truly felt, then the next layer, the espoused values, will indicate
that management intends to counter that threat. Finally, many visible artifacts of a good security
culture will be seen. These are, generally, the areas suggested to be surveyed: structures,
leadership behaviors, individual behaviors, and the general condition of the PPS equipment [2].

Regulatory Requirements
All facilities, no matter what their product or business, are responsible to some regulatory
authority. In addition, every facility must meet certain standards in their work practices. These
may be standards imposed by professional organizations, or they may be best practices within an
industry. All construction must meet a variety of state and local building codes. Regardless of the
formality of the regulation, it is important to understand the nature of all the regulations a facility
may be expected or required to meet. These requirements must be considered as a security system
is designed. Obviously, any security system that is implemented cannot put the company at risk of
violating any regulations. These regulations then become an important requirement for the design
and implementation of the security system.

Safety Considerations
Safety and security do not have the same goal, although they are complementary functions.
The safety function wants to give personnel free and rapid egress in case of an emergency, while
the security function wants to control all egress even in an emergency. This is the classic conflict
between safety and security: safety people want evacuation as fast as possible, and security people
want to be sure that no asset is stolen or left unprotected.
It should be clear that an important voice in the design of an effective security system will
be the facility or operational safety officer. Safety and security personnel must work together to
design systems that will be effective in normal (daily operations), abnormal (for example, a fire)
and malevolent conditions (an attack on the facility by a human adversary). Conflicts between
safety and security should be resolved by sound and integrated solutions [2].

Legal Issues
Perhaps the most visible and complex aspect of facility characterization is a thorough
review of the legal issues that should be considered when designing and implementing a security
system. Legal issues cover liability, privacy, access for the disabled, labor relations, employment
practices, proper training for guards, the failure to protect personnel, and excessive use of force by
guards, to list only a few. A good understanding of the criminal justice system will be a very useful
component in the design and implementation of a PPS. Each facility will need to make its own
assessment of which legal issues are concerns and what actions will be taken based on this
information. Some of the legal issues associated with physical protection are security liability,
failure to protect, overreaction, and even labor/employment issues.

3 Vital Area Identification Process

This section describes the process used to identify vital areas in a nuclear facility. The vital
area concept is used to define a boundary around the vital equipment, systems, devices or nuclear
material to which physical protection can be applied. The objective of the VAI process is to
identify a set of areas of a facility containing the equipment, systems, structures, components,
devices or operator actions that, if adequately protected, will prevent HRCs.
The VAI process should be repeated when design changes are being considered or prior to
their implementation, and when the threat has been modified. The best time to apply this process
is in the design phase of a new facility, when physical protection can be optimized and retrofitting
avoided [2].

Process Overview
The VAI process is depicted in Figure 1.1. The steps of VAI are as follows:
1) Gather information that is input to the VAI process.
   a. Policy considerations. Address the key policy considerations essential to the VAI
      process.
   b. Site and facility characteristics. Determine the inventories of nuclear and
      radioactive material. Evaluate the facility and site characteristics needed to
      determine whether sabotage could lead to URCs.
   c. Conservative analysis for each inventory. Determine whether the complete release
      of any inventory could exceed the HRC criteria. Include direct dispersal of any such
      inventory as an event in the sabotage logic model and continue with the process
      described below.
2) Identify any initiating events of malicious origin (IEMOs) that can lead indirectly to HRCs.
3) Identify any IEMOs that exceed the capacity of mitigation systems. Include each such
   IEMO as an event leading to HRCs in the sabotage logic model.
4) Identify systems to mitigate each IEMO. For each IEMO that does not exceed mitigating
   system capacity, identify the safety functions necessary to mitigate the IEMO, the systems
   that perform the safety functions, and the success criteria for the systems.
5) Develop a sabotage logic model. Develop a model that identifies the combinations of events
   (direct dispersal, IEMOs that exceed mitigating system capacity, and IEMOs coupled with
   mitigating system disablement) that would lead to HRCs.
6) Eliminate from the sabotage logic model any events that the assumed threat does not have
   the capability to perform.
7) Identify the locations (areas) in which direct dispersal, IEMOs, and the other events in the
   sabotage logic model can be accomplished. Replace the events in the sabotage logic model
   with their corresponding areas.
8) Solve the sabotage area logic model to identify the combinations of locations that must be
   protected to ensure that HRCs cannot occur.
9) Select the vital area set that will be protected to prevent sabotage leading to HRCs.
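The nine steps above, carried through end to end on a constructed toy facility. This is an added worked example and is not code from the report or from the IAEA publication it follows. Everything in it is hypothetical: the inventories and their complete-release consequence values, the URC/HRC thresholds, the initiating events and mitigating systems (with an assumed one-of-two train success criterion), the design basis threat capabilities, the event-to-area mapping, and the per-area cost used for the selection step. The sabotage logic model is solved by computing its minimal cut sets (step 5 and 6); replacing events by areas gives the sabotage area logic model (step 7); the candidate vital area sets of step 8 are then the minimal sets of areas that intersect every area cut set, which is the same thing as the minimal path sets of the area model, since protecting one area in each cut set denies every sabotage path.

```python
from itertools import combinations

# Step 1c: conservative screening. Hypothetical complete-release consequence per
# inventory (mSv, site boundary) against hypothetical URC/HRC thresholds; all constructed.
URC_MSV, HRC_MSV = 100.0, 1000.0
INVENTORIES = {
    "reactor_core": 5000.0,
    "spent_fuel_pool": 2500.0,
    "contaminated_resin": 300.0,  # above URC, below HRC: protect per State rules
    "waste_drums": 40.0,          # below URC: no sabotage areas needed
}

def screen_inventories(inventories, urc=URC_MSV, hrc=HRC_MSV):
    """Sort inventories into the three consequence bands the report describes."""
    bands = {"below_urc": [], "urc_to_hrc": [], "hrc": []}
    for name, dose in sorted(inventories.items()):
        band = "hrc" if dose >= hrc else "urc_to_hrc" if dose >= urc else "below_urc"
        bands[band].append(name)
    return bands

# Step 5: sabotage logic model as nested ("OR", ...) / ("AND", ...) tuples over hypothetical
# basic events. Each indirect branch pairs an IEMO with disablement of its mitigating
# system (assumed one-of-two trains, so both trains must be disabled).
INDIRECT_BRANCHES = [
    "large_loca_beyond_mitigation",                   # IEMO exceeding capacity
    ("AND", "loss_of_offsite_power",
            ("AND", "disable_diesel_A", "disable_diesel_B")),
    ("AND", "small_loca",
            ("AND", "disable_hpi_pump_1", "disable_hpi_pump_2")),
]

def build_model(hrc_inventories):
    """Top event HRC = direct dispersal of any HRC inventory OR an indirect path."""
    direct = [f"direct_dispersal_{inv}" for inv in hrc_inventories]
    return ("OR", *direct, *INDIRECT_BRANCHES)

# Step 6: hypothetical design basis threat, assumed unable to breach the reactor
# vessel, so direct dispersal of the core is not a capable event.
THREAT_CAPABLE = {
    "direct_dispersal_spent_fuel_pool", "large_loca_beyond_mitigation",
    "loss_of_offsite_power", "disable_diesel_A", "disable_diesel_B",
    "small_loca", "disable_hpi_pump_1", "disable_hpi_pump_2",
}

def minimize(sets):
    """Keep only minimal sets: drop any set that strictly contains another."""
    sets = set(sets)
    return sorted((s for s in sets if not any(o < s for o in sets)), key=sorted)

def cut_sets(node, capable):
    """Minimal cut sets of the model, dropping events the threat cannot perform."""
    if isinstance(node, str):
        return [frozenset([node])] if node in capable else []
    op, *children = node
    child_sets = [cut_sets(c, capable) for c in children]
    if op == "OR":
        return minimize(s for cs in child_sets for s in cs)
    result = [frozenset()]  # AND: every child must be accomplished
    for cs in child_sets:
        result = [a | b for a in result for b in cs]
    return minimize(result)

# Step 7: the (hypothetical) area from which each basic event can be accomplished.
EVENT_AREA = {
    "direct_dispersal_spent_fuel_pool": "fuel_building",
    "large_loca_beyond_mitigation": "containment", "small_loca": "containment",
    "loss_of_offsite_power": "switchyard",
    "disable_diesel_A": "diesel_room_A", "disable_diesel_B": "diesel_room_B",
    "disable_hpi_pump_1": "hpi_pump_room", "disable_hpi_pump_2": "hpi_pump_room",
}

def area_cut_sets(event_cuts, event_area=EVENT_AREA):
    """Sabotage area logic model: replace events by areas, then re-minimize."""
    return minimize(frozenset(event_area[e] for e in cs) for cs in event_cuts)

def candidate_vital_area_sets(area_cuts):
    """Step 8: minimal sets of areas that hit every area cut set (brute force)."""
    areas = sorted(set().union(*area_cuts))
    found = []
    for k in range(1, len(areas) + 1):
        for combo in combinations(areas, k):
            s = frozenset(combo)
            if all(s & cs for cs in area_cuts) and not any(f < s for f in found):
                found.append(s)
    return found

# Step 9: choose one candidate; the cost per area is a constructed stand-in for
# the operational, safety and physical protection considerations of Section 1.
AREA_COST = {"containment": 3, "fuel_building": 2, "switchyard": 5,
             "diesel_room_A": 1, "diesel_room_B": 2, "hpi_pump_room": 1}

def select_vital_area_set(candidates, cost=AREA_COST):
    return min(candidates, key=lambda s: (sum(cost[a] for a in s), sorted(s)))

def run_vai():
    bands = screen_inventories(INVENTORIES)
    cuts = cut_sets(build_model(bands["hrc"]), THREAT_CAPABLE)
    area_cuts = area_cut_sets(cuts)
    candidates = candidate_vital_area_sets(area_cuts)
    return bands, cuts, area_cuts, candidates, select_vital_area_set(candidates)
```

Calling run_vai() on this toy facility shows two things the step list alone does not. First, re-minimizing after the event-to-area substitution matters: the small-LOCA branch produces the area cut set {containment, hpi_pump_room}, which is subsumed by the {containment} cut set that the unmitigable large LOCA contributes, so the HPI pump room drops out of every candidate set (an adversary who can reach containment does not need the pump room). Second, the three candidate vital area sets differ only in which link of the AC-power chain (switchyard or either diesel room) is protected alongside containment and the fuel building; that is exactly the choice step 9 makes on operational, safety and protection grounds, represented here by the constructed cost table.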
Facility safety analyses can provide valuable information and models to support VAI. If a
deterministic safety assessment (DSA) or a probabilistic safety assessment (PSA) has been
completed for the facility, it will provide analyses of the response of the facility to various initiating
events (IEs) that could be caused by random failure, human error, etc. These events could also be
caused by malicious acts. DSAs and PSAs provide extensive information on site and facility
characterization that will be useful to the VAI team [2].

Figure 1.1: VAI process [2].

Input to VAI Process

Before starting the VAI process, certain inputs are needed: the policy considerations, the
operational states of the facility, and the facility characterization. The VAI process is then carried
out on the basis of these inputs.

Policy Considerations
Policy considerations to be addressed prior to initiation of the VAI process are:
1. The explicit definition of unacceptable radiological consequences (URCs) that will require
protection against sabotage;
2. The explicit definition of HRCs that will require designation and protection of vital areas;
3. The operational states for which vital areas should be identified and protected;
4. The safe facility state that should be achieved following a sabotage attack for each
operational state;
5. Whether equipment unavailability events, other than malicious disablement acts, should be
considered to occur concurrent with a sabotage attack;
6. Whether the analysis can take credit for accident management recovery actions following
a sabotage attack;
7. The threat against which the facility should be protected [2].
More detailed consideration will be given to each of these issues in the following sections.

I. Unacceptable Radiological Consequences


The first significant policy consideration is the explicit decision regarding
unacceptable radiological consequences and high radiological consequences. Typically,
these consequence levels would be defined in terms of an unacceptable dose level,
unacceptable radioactive material release level or unacceptable plant state, such as core
damage for an NPP. It should be noted that if HRCs are identical with those defined by the
State in relation with nuclear safety considerations, the safety analyses performed for the
facility could be used for VAI without significant modification.

II. Determination of Operational States to be Assessed

Some facilities may have more than one operational state, such as normal operation, plant
shutdown, and reactor refueling for power reactors. These different operational states may rely on
different equipment to perform necessary safety functions and may require different physical
protection measures to protect the equipment and material. The competent authority should
identify or approve the operational states to be considered in the VAI process. The identification
of vital areas for all operational states can be accomplished by analyzing each operational state, or
by identifying a bounding operational state that will ensure protection during all states. Operational
states to be assessed should be determined considering the possibility of HRCs during each
operational state [2].

III. Safe Facility State

There may be a number of facility states that, if achieved subsequent to an accident or transient,
are designed to maintain the facility in a safe state. In principle, all nuclear facilities must maintain
the fundamental safety functions [4] of:
a. Control of reactivity
b. cooling of radioactive material
c. Confinement of radioactive material.
For nuclear power reactors, the safety function of cooling of radioactive material is often
further itemized as reactor coolant pressure control, reactor coolant inventory control, and decay
heat removal. The defined facility safe state(s) may differ for analysis of different facility
operational states. The competent authority should identify or approve the safe facility state for
each facility operational state.

IV. Credit for Recovery Actions

The VAI team should be careful to identify all implicit and explicit assumptions about
personnel actions included in the safety and other analyses used as input to the VAI. After these
actions have been identified, the team should determine whether credit can be taken for such
actions as part of the facility response to sabotage. During the course of the VAI, the team may

13

also identify possible recovery actions to compensate for disabled equipment. In this case too, the
VAI team should determine whether credit should be taken for the recovery actions as part of the
facility response to sabotage. The VAI team should document the rationale for crediting personnel
actions, including recovery actions.

V. Threat Characteristics

Physical protection of nuclear facilities should be based on the State's current evaluation of
the threat. The competent authority should specify the threat characteristics against which the
operator should provide protection in a design basis threat or other threat evaluation. The threat
characteristics are used in the VAI process to determine the malicious acts the threat is capable of
performing [2].

Site and Facility Characteristics

The first step in performing sabotage analysis is to determine the inventories of nuclear or
radioactive material present and the facility and site characteristics that will be needed to determine
whether sabotage could lead to URCs. This requires information on:

i. The site (the area in which the facility is located). Information on the population density in
the vicinity of the facility and other site characteristics may be needed to determine the potential
consequences of radiological releases if the criterion for URCs is directly related to off-site
exposure rather than to a surrogate, such as core damage or containment failure.

ii. The facility. Information is needed on the locations of nuclear and radioactive material, and on
inventory forms, characteristics and quantities; on the facility's critical safety functions (e.g.
shielding, criticality prevention, cooling, confinement, fire prevention, structural integrity); and on
the process and safety system details needed to determine the equipment, systems and devices that
must be protected in order to prevent HRCs.

The information needed for site and facility characterization should be available from the
facility safety case or other safety analysis documentation.

Conservative Analysis of Radiological Consequences

A conservative analysis should be performed to determine the potential radiological
consequences of the complete release of each nuclear or radioactive material inventory at the
facility. The analysis should be performed without consideration of physical protection and
mitigation measures present at the facility.
If the potential radiological consequences estimated for an inventory under these
conservative analysis conditions are below the URCs, sabotage leading to URCs is not possible
for this inventory. Consequently, it is not necessary to designate any areas to be protected against
sabotage for this inventory. For such inventories, the operator should protect safety related
equipment and devices by controlling access and securing them. If the potential consequences are
between the URC and HRC levels established by the State, the operator should identify the areas
to be protected against sabotage and protect them as specified by State requirements. If the
potential consequences are above the HRC level, the operator should identify vital areas as
described in the following sections and protect them as recommended in [1].

Direct Sabotage of Inventory


Acts that lead directly to release of radioactive material are those that apply energy from an
external source (for example, an explosive or incendiary device) to disperse the material. If the
potential radiological consequences of the release of a complete inventory are equal to or greater
than the HRC level, the direct dispersal of the inventory should be included in the sabotage logic
model as a potential malicious act leading directly to HRCs, and the remaining steps of the vital
area identification process should be performed for the inventory. The feasibility that the threat
could cause direct dispersal of the inventory is addressed when the threat characteristics are
considered later in the process.

Indirect Dispersal of Inventory


Malicious acts that lead indirectly to the release of nuclear and other radioactive material are
the ones that use the potential energy (i.e. heat or pressure) contained in the nuclear or radioactive
material or in a process system to disperse the material. Indirect sabotage attacks do not require
that the adversary gain access to the area in which the material is located; instead, they involve
attacks against equipment, systems, structures, components, devices or operator actions that
normally maintain the facility in a safe state. If the potential radiological consequences of the
release of a complete inventory are equal to or greater than an HRC limit, the possibility of sabotage
that could lead indirectly to HRCs should be considered. To determine the areas that should be
protected to prevent acts that lead indirectly to HRCs, two types of sabotage attacks should be
considered, namely those:
1. Causing an IE that creates conditions more severe than the facility mitigating systems can
accommodate (that is, events that are beyond the safety design basis);
2. Causing an IE and disabling the systems needed to mitigate the effects of the IE.
An IE that is deliberately caused by an adversary in an attempt to cause a release from a facility is
called an IEMO [2].

Initiating Events of Malicious Origin


The main purpose of this step in the VAI process is to produce a list of malicious acts by
which the potential adversary might initiate a chain of events leading to HRCs. When identifying
the IEMOs, the VAI team should consider three categories of events that may not be included in
the safety case and that should be included in the VAI process:
1) The first category of IEMOs not included in safety assessments involves situations in which
there is no process energy or other energy sources present that could disperse radioactive
material. For example, malicious acts involving explosives or other sources of energy for
breaching or dispersal could cause barriers to fail or radioactive material to be dispersed in
a manner not possible without a malicious act. Because these IEs are not possible without
a malicious act, they are not usually addressed in the safety analysis.
2) The second, related, category of IEMOs that may not have been addressed in the safety
analysis includes those IEs that are so unlikely to occur randomly that they are excluded
from consideration. For example, multiple independent IEMOs or massive breaches or
failures of passive components that, while extremely improbable as random events, can be
accomplished by an adversary equipped with explosives or other resources, including in
situ resources.
3) The third category of IEMOs involves sources of radioactive material releases that may not
have been within the scope of safety documents.

IEMOs That Exceed Mitigating System Capacity


Every IEMO that exceeds mitigating system capability should be included in the sabotage
logic model as a potential malicious act leading to HRCs. The feasibility that the threat could cause
an IEMO that exceeds mitigating system capability is addressed when the threat characteristics are
considered later in the process.

IEMOs That Are Within Mitigating System Capacity


In order to address IEMOs that are within mitigating system capability, the combinations
of IEMOs and mitigating system disablement events that could lead to HRCs should be
determined. The mitigating system includes operator actions. These combinations of events that
lead indirectly to HRCs are detailed in the sabotage logic model. The possibility that the threat
could cause the IEMOs or disablement events is addressed when the threat characteristics are
considered later in the process.
Systems that are used to mitigate IEs are ones that support safety functions such as reactivity
control, decay heat removal, coolant boundary integrity, and containment integrity. The systems
that directly perform critical safety functions are defined to be front line systems and those required
for proper functioning of the front line systems are defined to be support systems. The successful
operation of a front line system may depend upon the availability of one or more support systems,
and it is essential that these dependencies be identified. Successful operation of a front line system
(success criteria) means the minimum performance needed for the fulfillment of the system's
safety function under the specific conditions created by an IEMO [2].

Sabotage Logic Model


The next step in performing a VAI is constructing a sabotage logic model that identifies the
events or combinations of events that could lead to HRCs necessitating protection in vital areas,
including the direct dispersal of radioactive material, IEMOs that exceed mitigating system
capacity, and the combinations of events that will lead to HRCs for IEMOs that are within
mitigating system capacity. A logic model can be a statement, an algebraic expression, or a
graphical representation, such as a fault tree or an event tree. The sabotage logic model includes
all direct dispersal events and all IEMOs and associated mitigating system failures that will cause
HRCs.
Direct dispersal and IEMOs that exceed mitigating system capacity are included in the logic
model as single events leading to URCs. The portion of the logic model that deals with IEMOs
within mitigating system capacity includes each such IEMO combined with the malicious
disablement of the specific systems designed to mitigate the IEMO. Logic models for system
disablement are developed to the component level using a top-down approach. The logic models
must be developed in sufficient detail to allow linking of disablement events to the facility
locations (areas) in which disablement can be accomplished.
The sabotage logic model will have the direct dispersal events, the IEMOs, and the events
that disable mitigating system components as basic events. A simple example of a sabotage logic
model is provided in Appendix A.

Sabotage Area Logic Model


The next step in the VAI process is identifying and documenting the areas from which an
adversary could accomplish each event in the sabotage logic model. The information about these
areas is collected through a structured process and verified by conducting a walk down of the
facility. Spatial interactions among the adjacent areas should also be considered as discussed
below.

Data Collection and Entry


The area data are entered into the sabotage logic model by replacing each event (each direct
dispersal event, IEMO, and each mitigating system disablement event) in the model with the area
or areas in the nuclear facility from which it can be caused. The result is a sabotage area logic
model. The sabotage area logic model can then be solved as described in the following section to
determine the combinations of areas from which malicious acts could cause URCs and the
minimum combinations of areas that should be protected to prevent URCs.

Design documents for the nuclear facility provide the information needed to identify the
areas in which the sabotage events can be accomplished. General arrangement drawings should
provide area, room, walls and doors and access route information. Piping and instrumentation
diagrams, isometric drawings, safe shutdown analyses, and fire and seismic PSAs are other sources
of information on equipment locations.

Walk Down the Facility


Area information should be verified by conducting a VAI walk down. In preparation for
the VAI walk down, the team should review the location information. The VAI walk down team
should include representatives from the facility safety, security, design and operating
organizations.

Spatial Interactions
Additional consideration is required to address spatial interactions between adjacent areas.
There may be cases in which a malicious act in one area can disable equipment, components, or
devices in one or more adjacent areas.

Candidate Vital Area Sets


Identifying candidate sets of vital areas is accomplished in two steps:
1. Identify target sets: The sabotage area logic model is analyzed to determine all
combinations of areas to which an adversary would have to gain access in order to complete
sabotage scenarios that could lead to HRCs. Each such combination of areas is a minimal
cut set of the sabotage area logic model, and represents the full set of target areas an
adversary needs to penetrate in order to accomplish a sabotage scenario.
2. Identify protection sets: The sabotage area logic model is analyzed to determine the
minimum combinations of areas that should be protected in order to ensure that no sabotage
scenarios could be completed.
The process of solving the sabotage area logic model to identify candidate vital area sets is
illustrated in Appendix A.

Vital Area Set Selection


This step in the VAI process is to select a vital area set from the candidate vital area sets. Each
of the candidate vital area sets meets the recommendation in [1] for a set of facility vital areas. The
facility operator may choose to protect any one of the candidate vital area sets. In making the
selection of a set of areas to protect, the operator could take into account various factors important
to safe and efficient operation of the facility. For example, the operator might select the candidate
vital area set that provides the optimum combination of:
1. Low impacts on safety, plant operations, and emergency response;
2. Low difficulty of providing protection;
3. High effectiveness of protection measures and low cost of protecting the vital areas [2].

4 Documentation of Results
The objective of the analysis documentation is to demonstrate that the VAI satisfies the
requirements specified by the competent authority. The documentation should be well structured,
concise and easy to review and update. Updates may be required to reflect changes in the assumed
adversary characteristics as well as modifications to the facility operation, safety systems and
measures, and the locations of facility equipment, systems, structures, components, devices and/or
operator actions. The documentation should explicitly present the assumptions made in the policy
considerations topics discussed in Section 3.2.1 and comply with quality assurance requirements
specified by the competent authority.

Protecting Information
The VAI process generates sensitive information that should be protected properly according to
information security requirements of the competent authority. The information security
requirements and procedures will depend upon the legal system in the State where the facility is
located. Everyone who has access to the information generated in the VAI process should be
required to understand and follow the information security requirements.

5 Summary and Conclusions


Nuclear power plants contain large inventories of radioactive materials that could, if released,
cause radiological hazards to workers, the public, and the environment. Any deliberate act directed
against a nuclear power plant could directly or indirectly endanger public health and safety through
exposure to radiation. It is therefore necessary for each nuclear power reactor licensee and new
reactor applicant to identify the vital areas to which the required protection measures will be
applied. This document provides guidance on a method that can be used by licensees and new
reactor applicants to identify nuclear power reactor vital areas.
The process of collecting information to characterize a facility is very important for the design
and evaluation of a PPS. Prior to designing a PPS, as much information as possible should
be gathered to understand the activities at the facility and the facility layout. This will help identify
constraints, document existing protection features, and reveal areas and assets that may be
vulnerable. Areas of investigation include physical conditions, facility operations, facility policies
and procedures, regulatory requirements, safety considerations, legal issues etc. As more
information is collected, additional areas of interest may emerge. When collecting information, a
variety of sources should be used including drawings, policies and procedures, tours, briefings,
reference material, and personal interviews.
The process of facility characterization serves as an input to the process of identifying the vital
areas of a nuclear facility. The process presented in this document provides a structured, logical approach
to identifying the vital areas of a nuclear power plant. The vital areas contain a minimum
complement of SSC and operator actions sufficient to ensure safe operation or safe shutdown of
the plant. The method incorporates information from plant safety documentation, including PRAs.
It employs fault tree analysis to deal with the complexity of a nuclear power plant and to document
the logic employed in the identification of vital areas. The process allows the licensee or applicant
to select the set of vital areas that meets the requirement for protection against radiological
sabotage while minimizing impacts of physical protection measures on plant safety, costs, and
operations. Proper documentation of the process will provide the necessary information to
reconstruct the results of the analysis to support review, approval, and updating of the vital area
selection.

6 References
[1] INTERNATIONAL ATOMIC ENERGY AGENCY, "Identification of Vital Areas (IAEA Nuclear Security
Series No. 16)," IAEA, Vienna, Austria, 2012.
[2] INTERNATIONAL ATOMIC ENERGY AGENCY with PAKISTAN NUCLEAR REGULATORY AUTHORITY &
CHINA INSTITUTE OF ATOMIC ENERGY, National Training Course on Physical Protection of Nuclear
Material & Nuclear Facilities, Vienna, Austria: IAEA with PNRA & CIAE, 2007.
[3] INTERNATIONAL ATOMIC ENERGY AGENCY, "The Physical Protection of Nuclear Material and
Nuclear Facilities (INFCIRC/225/Rev 5)," IAEA, Vienna, Austria, 2011.
[4] INTERNATIONAL ATOMIC ENERGY AGENCY, "IAEA Safety Glossary 2007 Edition," IAEA,
Vienna, Austria, 2007.

7 Appendix A: Sabotage Logic Model


This appendix provides a step-by-step solution of a simple logic model to illustrate how
candidate vital area sets can be identified. The solution of the example logic model demonstrates
how the concepts of minimum cut sets and minimum protection sets are applied in the VAI process.
A logic model can be a statement, an algebraic expression or a graphical representation such as a
fault tree or an event tree. The solution of different representations for the same logical problem
will give the same results. A logic model is solved by applying the rules of Boolean algebra to
the model. Table 2 provides definitions of common logic symbols and Boolean algebra rules.
Consider a fictitious facility that has the following characteristics:
1. There are two initiating events (IEs) identified for this facility, IE1 and IE2, that if
unmitigated will result in releases that exceed the URC limits established by the competent
authority.
2. Safety system S1 is designed to mitigate IE1 and system S2 is designed to mitigate IE2.
3. System S1 has two trains of equipment, T1 and T2. If either of these trains functions
properly, S1 can successfully mitigate IE1 (that is, both trains must fail for S1 to fail).
4. System S2 has three trains, T3, T4, and T5. Either T3 or both T4 and T5 must function in
order for S2 to successfully mitigate IE2 (that is, S2 will fail to mitigate IE2 if both T3 and
T4 fail or both T3 and T5 fail).
5. The trains in the systems have components (designated by C below) that must operate for
the trains to function.
T1 fails if either of two components (C1 or C2) fails.
T2 fails if either C3 or C4 fails.
T3 fails if either C5 or C6 fails.
T4 fails if either C7 or C8 fails.
T5 fails if either C9 or C10 fails.
6. In order to cause the IEs and disable the various components a saboteur would have to gain
access to different plant areas, designated with L labels in Table 1 below.

Table 1: Initiating Events and their Location

Event         Location
Disable C1    L1
Disable C2    L2
Disable C3    L2
Disable C4    L2
Disable C5    L3
Disable C6    L3
Disable C7    L5
Disable C8    L6
Disable C9    L6
Disable C10   L6
Cause IE1     L8
Cause IE2     L9

The statements above constitute one form of a logic model for sabotage of the facility. By
carefully analyzing these statements, we could determine the combinations of locations that a
saboteur would have to enter to cause all the IEs and component failures that would lead to URCs.
For example, if a saboteur could gain access to L2 and L8 he could initiate IE1 and disable S1,
resulting in a release that exceeds URC limits. The saboteur can cause IE1 if he gains access to
L8. If the saboteur disables both T1 and T2, S1 will not be able to mitigate IE1. T1 can be disabled
by disabling C2 and T2 can be disabled by disabling C3. Both C2 and C3 can be disabled from
L2, so by gaining access to both L2 and L8 the saboteur can cause URCs. By reviewing the
statements and location table in detail, all the combinations of locations from which IEs can occur
sufficient to cause URCs could be identified. As long as the facility is simple enough, it is possible
to derive the location combinations from which sabotage can be accomplished by inspection as
done in the previous paragraph. A more useful approach is to represent the relationships between
IEs, disablement events and locations in a logic equation. The event to be represented in this logic
equation is release in excess of URCs. Using the definitions in Table 2, the following equations
are developed corresponding to statements 1 through 5 above:
URC = IE1*S1 + IE2*S2    (1)
S1 = T1*T2    (2)
S2 = T3*T4 + T3*T5    (3)
T1 = C1 + C2    (4)
T2 = C3 + C4    (5)
T3 = C5 + C6    (6)
T4 = C7 + C8    (7)
T5 = C9 + C10    (8)

In these equations, S1 means safety system 1 is disabled, T1 means train 1 is disabled, C1
means component 1 is disabled, etc. Replacing the events in these equations with the locations in
which they can be caused and simplifying using the rules of Boolean algebra yields the following
results:
T1 = L1 + L2    (9)
T2 = L2 + L2 = L2    (10)
T3 = L3 + L3 = L3    (11)
T4 = L5 + L6    (12)
T5 = L6 + L6 = L6    (13)
S1 = (L1 + L2)*L2 = L2    (14)
S2 = L3*(L5 + L6) + L3*L6 = L3*L5 + L3*L6    (15)
URC = L8*L2 + L9*(L3*L5 + L3*L6) = (L8*L2) + (L9*L3*L5) + (L9*L3*L6)    (16)

For this simple example, there are three combinations of locations from which a saboteur could
cause URCs:
URC = L8*L2 + L9*L3*L5 + L9*L3*L6    (17)

Each combination of locations from which sabotage can be caused is called a cut set of the
sabotage location equation. The objective of VAI is to find a minimum set of areas to be protected
against sabotage to prevent all possible scenarios leading to URCs. This means that we must
protect at least one of the areas in each combination of areas from which sabotage can be
accomplished. Each combination of locations whose protection will prevent all sabotage scenarios
is a prevention set for the logic model and constitutes a candidate vital area set. For simple sabotage
location equations it is possible to directly determine the combinations of locations whose
protection will prevent sabotage. From equation 17, it can be seen that if the adversary is prevented
from gaining access to the following combinations of areas, URCs cannot occur.
URC Prevented = \underline{L8}*\underline{L9} + \underline{L8}*\underline{L3} + \underline{L2}*\underline{L9} + \underline{L2}*\underline{L3} + \underline{L8}*\underline{L5}*\underline{L6} + \underline{L2}*\underline{L5}*\underline{L6}    (18)

In equation 18, the underline indicates that access to the location is prevented; for example,
\underline{L8} means access to L8 is prevented. In Boolean algebra terms, \underline{L8} is the complement
(non-occurrence or NOT) of L8. For the example facility, there are six candidate vital area sets as shown
in equation 18. This result can also be derived algebraically by forming the complement of the
sabotage location equation and simplifying using the rules of Boolean algebra. The protection of
any one of the candidate vital area sets will ensure that a saboteur cannot cause URCs. If, for
example, we select the set L2 and L3 as the final vital area set, these are the only two areas of the
plant that would be protected as vital areas. Protecting these two areas will ensure that none of the
possible sabotage scenarios can be completed.
Fault trees can be used to efficiently represent the sabotage logic for more complicated
facilities. Figure A-1 provides a fault tree for the example facility that will be solved to further
illustrate the process of identifying candidate vital area sets. The top event in this tree is release in
excess of URC limits (represented by the symbol URC). The logic gates show the ways the events
in the tree combine to cause the top event, and the tree is developed down to the level of component
failures. Figure 2.1 shows the fault tree with all terminal events replaced with the locations from
which the events can be caused. This sabotage location fault tree is solved using the Boolean
algebra concepts applied in equations (1) through (17) to produce the same results. The expression
in parentheses beside each gate is the solution for the gate in terms of the terminal events in the
tree. One way to generate the level 1 protection sets for a fault tree is to form and solve the dual
for the tree. The dual of a fault tree is formed by changing each OR gate in the tree to an AND
gate, each AND gate to an OR gate, and each event to the complement (NOT) of the event. There
are a variety of software packages available for solving fault trees and generating the prevention
sets (candidate vital area sets) needed in the VAI process.
In summary, the sabotage logic model for a facility can be developed in a number of
equivalent forms. The solution of the logic model produces candidate vital area sets that can be
protected to prevent sabotage. Any one of the candidate sets will contain a minimum set of
equipment needed to ensure that no sabotage scenarios can be completed.
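Solving the example logic model above, as an added Python example that is not part of the original report or of [2]; it serves both the Candidate Vital Area Sets section (target sets and protection sets) and this appendix. It encodes the fault tree of equations (1) to (8) and the area assignments of Table 1, solves the sabotage area logic model for its minimal cut sets (equation 17), and derives the minimal protection sets (candidate vital area sets, equation 18) as hitting sets, which is equivalent to forming and solving the dual tree. The intermediate gate names such as IE1_S1 are my own labels, and the support for a basic event reachable from more than one area (the "area or areas" of the data collection step, e.g. through a spatial interaction) goes beyond the report's single-area table.

```python
from itertools import product

# Fault tree of the fictitious facility in Appendix A, following equations (1)-(8).
# Each gate is (gate type, children); a child is another gate or a basic event.
# OR: any child failing fails the gate. AND: every child must fail.
# Intermediate gate names such as "IE1_S1" are my own labels, not the report's.
FAULT_TREE = {
    "URC":    ("OR",  ["IE1_S1", "IE2_S2"]),   # URC = IE1*S1 + IE2*S2
    "IE1_S1": ("AND", ["IE1", "S1"]),
    "IE2_S2": ("AND", ["IE2", "S2"]),
    "S1":     ("AND", ["T1", "T2"]),           # S1 = T1*T2 (both trains fail)
    "S2":     ("OR",  ["T3_T4", "T3_T5"]),     # S2 = T3*T4 + T3*T5
    "T3_T4":  ("AND", ["T3", "T4"]),
    "T3_T5":  ("AND", ["T3", "T5"]),
    "T1":     ("OR",  ["C1", "C2"]),           # a train fails if either component fails
    "T2":     ("OR",  ["C3", "C4"]),
    "T3":     ("OR",  ["C5", "C6"]),
    "T4":     ("OR",  ["C7", "C8"]),
    "T5":     ("OR",  ["C9", "C10"]),
}

# Table 1: the area from which each basic event can be caused. A value may also be a
# tuple of areas (an event reachable from more than one area, e.g. through a spatial
# interaction with an adjacent area); such a value is treated as an OR of those areas.
LOCATION = {
    "C1": "L1", "C2": "L2", "C3": "L2", "C4": "L2", "C5": "L3", "C6": "L3",
    "C7": "L5", "C8": "L6", "C9": "L6", "C10": "L6", "IE1": "L8", "IE2": "L9",
}


def minimize(sets):
    """Keep only the minimal sets (Boolean absorption: A + A*B = A)."""
    sets = set(sets)
    return {s for s in sets if not any(other < s for other in sets)}


def cut_sets(node, tree, leaf_map):
    """Minimal cut sets of `node`, each a frozenset of areas (the target sets).
    Replacing each basic event by its area(s) turns the sabotage logic model into
    the sabotage area logic model, which is then solved bottom-up (equation 17)."""
    if node not in tree:                       # basic event -> its area(s)
        areas = leaf_map.get(node, node)
        areas = (areas,) if isinstance(areas, str) else tuple(areas)
        return {frozenset([a]) for a in areas}
    gate, children = tree[node]
    child_sets = [cut_sets(child, tree, leaf_map) for child in children]
    if gate == "OR":                           # union of the children's cut sets
        combined = set().union(*child_sets)
    elif gate == "AND":                        # one cut set from every child, merged
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate type {gate!r}")
    return minimize(combined)


def prevention_sets(cuts):
    """Minimal protection sets: the smallest area sets containing at least one area
    of every cut set (equation 18). This equals the solution of the dual tree
    (AND/OR swapped, every event complemented), computed here as hitting sets."""
    hitting = {frozenset()}
    for cut in cuts:
        hitting = minimize({h | {area} for h in hitting for area in cut})
    return hitting


def as_equation(lhs, sets):
    """Render a family of sets in the '+'/'*' notation of equations (16)-(18)."""
    terms = sorted(("*".join(sorted(s)) for s in sets), key=lambda t: (t.count("*"), t))
    return f"{lhs} = " + " + ".join(terms)


if __name__ == "__main__":
    targets = cut_sets("URC", FAULT_TREE, LOCATION)
    print(as_equation("URC", targets))                              # equation (17)
    print(as_equation("URC Prevented", prevention_sets(targets)))   # equation (18)
```

Running the script prints the three target sets of equation (17) and the six candidate vital area sets of equation (18); choosing any one of the latter, such as L2 and L3, blocks every cut set.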

Table 2 : Common Logic Model Representations

Figure 2.1: Sabotage Fault Tree [2].
